There is a lot of buzz in the industry about Apple Pay and the hackers who have exploited the security behind the new mobile wallet trend. In the last two months, there has been a spike in fraudulent activity with Apple Pay. Despite the robust security built into Apple Pay, criminals have quickly found a workaround: they set up new iPhones with stolen credit card information, then impersonate the actual credit card account holder. They use additional information about the person that is easily found online to trick the financial institution into thinking they are the authorized user, so that it verifies the new card.
This doesn’t mean that merchants should steer clear of Apple Pay. Not yet at least. While there is definitely a blame game going on, it is becoming evident that the real issue in this fraud (the hackers excluded) lies not with Apple but with the banks issuing the credit cards that consumers are using. An article entitled “Mobile Payments Fraud: A Blame Game Between Apple Pay and Financial Institutions” details the current state of the finger pointing:
Since (banks) and credit unions are anxious to be an Apple Pay user's primary credit card, they are authenticating and verifying these card payments without additional levels of verification. They want to keep the process simple for account holders to add their cards, in keeping with Apple's philosophy of simplifying processes for its users. But in this instance, this push for simplification opened up a security hole - and criminals jumped right through it!
Who is to blame: The financial institutions or Apple?
According to an article on cnbc.com last month: "Both sides play a role because Apple could have done more," said Samuel Bucholtz, co-founder of Casaba Security. "But where the fraud is really coming from is the bank's verification of those cards. It's not a compromise of any Apple security system that Apple has put in place."
The fraud that is occurring is not in the Apple system, but in the authentication process of the credit card. And Apple doesn't own this piece of it... the bank does. Patrick Moorhead of Forbes details this process:
Unknown to most, Apple actually sends additional information to the banks to help with authentication as outlined in the Apple Pay Security and Privacy Overview. It says, “…Then [Apple] sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”
The Apple iOS Security Guide’s section on Apple Pay very clearly states that in addition to location and iTunes activity, Apple encrypts and shares information like the last four digits of the phone number and the device name. The bank then determines if the card is approved for use with Apple Pay. All of this information can be helpful in verifying, but only if the banks use it; if they are not, they may have to fix their process as part of this.
Is it entirely the card issuing bank's fault? Should Apple have required more information to be shared for verification on all cards used? Would doing so have eliminated a perceived advantage by the consumer to use a card that required less information, at the risk of less security? Or perhaps, as one bank executive claimed, "they were so scared of Apple that they didn’t speak up. The banks didn’t press the company for fear that they would not be included among the initial issuers on Apple Pay."
Merchants: Be cautious, but move forward with Apple Pay
We believe Apple Pay is not going away. Nor are other mobile wallets. It is a very convenient service for a generation coming into money, and addicted to their phones. Our reliance on our mobile devices continues to grow, and merchants should be prepared to accept this new form of payment to attract more business. Stay up to date on the news and be cautious in your endeavors with Apple Pay, but don’t discount Apple. Since 1976, Apple has seen more reports of its pending failure than almost any other company, yet…look where they are today!